Duqu 2.0 Hits Kaspersky Lab(securelist.com) |
That seems like a very nice spin on a successful attack that was eventually detected. How long were the attackers able to spy on their internal systems? Perhaps they didn't need ongoing access and simply wished to steal client files or documents.
Relevant quote:
"Company officials were unable to provide Ars with an estimate of how many megabytes or gigabytes of data were extracted from their network, in part because the custom network connections Duqu used may have bypassed normal logging procedures. The company hasn't ruled out the possibility the attackers obtained Kaspersky Lab source code, but there are no signs they tried to compromise any of Kaspersky's 400 million users."
from http://arstechnica.com/security/2015/06/stepson-of-stuxnet-s...
-- Kaspersky Labs
Stuxnet was a combined Israeli/US attack on Iran's nuclear capability. Kaspersky is a Russian security company which was started with government support, and is believed to still have connections there. Russia and Iran are allies.
Now look at how it played out. The US and Israel attacked Iran. Kaspersky tracked it down and publicized it to the world. And now some combination of the US, Israel, or close allies launched a spying attack on Kaspersky. Which, for all we know, may actually be an important part of the Russian cybersecurity infrastructure.
For all that organizations like the NSA do wrong (like spying on all of us), this is the kind of thing that we actually wanted them doing when they were created.
From what I know this is simply not true. Got a source?
But I think your overall point holds. Kaspersky's 400 million user base includes a boatload of US/Western users, including enterprise and government clients. This simply cannot NOT be of some concern to respective countries, so it's perfectly logical that they would want to keep an eye on the situation.
Given how Russian business works, though, it would seem likely that there is a connection.
But http://www.bloomberg.com/news/articles/2015-03-19/cybersecur... is an article that gives more recent reason for why Kaspersky is a potentially interesting target for Western spies.
Russia and Iran are allies? The US is going to use Iran against Russia to sell Iranian gas and oil to Europe and subdue Russian influence - that's why the US decided to fix relations with Iran and come to a deal allowing the sanctions to end. They're more like competitors than allies.
Of course interests shift over time. We are indeed doing things to improve relations with Iran. But that doesn't change the fact that in recent history we've been calling them part of "the axis of evil" and they have been calling us "the great Satan".
This is true for every single piece of software ever written. Msft is no different in this regard.
http://www.symantec.com/connect/blogs/duqu-20-reemergence-ag...
Eugene Kaspersky: "Why Hacking Us Was A Silly Thing To Do"
http://www.forbes.com/sites/eugenekaspersky/2015/06/10/why-h...
2011: CVE-2011-3402
2014: CVE-2014-4148 CVE-2014-6324 CVE-2015-2360
https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0...
[1] https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0...
His speech to Congress was unprecedented and a sign he was possibly being kept out of the loop in the negotiation deals. I wouldn't blame Obama; Bibi's emotions (or delusions) seem to get in the way of any attempts at peace talks.
Not only is this a total stretch, it's complete hearsay.
The reasons for hackers to go after Kaspersky are just as numerous as those for state-sponsored teams. I find it hard to say it was definitively one or the other without further evidence. But in this "government surveillance" panic people are currently in, it's easy to just point a finger and say it was the NSA because this version "looks similar" to another version already deployed.
It's about as solid as saying there were similarities between the type of malware used in the Sony Pictures attack and code used to attack South Korea last year - which was laughed off by most of the info sec community.
http://www.kaspersky.com/about/news/virus/2015/Duqu-is-back
"Kaspersky Lab would like to reiterate that these are only preliminary results of the investigation. There is no doubt that this attack had a much wider geographical reach and many more targets. But judging from what the company already knows, Duqu 2.0 has been used to attack a complex range of targets at the highest levels with similarly varied geo-political interests."
If it's the latter, that's what I would be more interested in.
The internet was designed to survive a war. Can it handle being the battlefield?
----
> We protect those people in the face of such risks ... generally speaking, deliberately attacking medics on a battleground is simply despicable and disgraceful.
No further comment.
I can think of several reasons why someone might want to try to steal our technical data, but each one of them doesn’t seem to be worth the risk.
I don't get it: what's the risk here? As far as I can see, the only risk is that their malware is removed from the victim machines. The risk of blowback to the perpetrators is vanishingly small as far as I can see.
>Kaspersky researchers have described it as a "0-day trampoline" because it allowed their malicious modules to jump directly into the Windows kernel, the inner part of the operating system that has unfettered access to system memory and all external devices. The trampoline exploit allowed the malware to bypass digital signature requirements designed to prevent the loading of malicious code into the OS kernel space.
>"What is really impressive here—what I call really amazing—is the entire malware platform depends on this zero-day to work," Raiu said. "So if there is no zero day to jump into kernel mode this doesn't work."
Now this will be patched, and they will need something completely different for the next framework.
Any large nation state probably has a nice cache of 0-days ready to roll out at any given time, but they’re still a limited resource that could be used to attack other targets. Attacking Kaspersky pretty much guarantees that the 0-days are blown once the infiltration is discovered.
Mind sharing those?
>he was KGB.
A claim unsupported by evidence.
>Given how Russian business works
"Given how I assume Russian business works based at most on anecdotal evidence." FTFY
Anyway, I wouldn't bother to reply to your post if you hadn't used a source that is full of shit, pardon my French. You can check out Kaspersky's blog for a rebuttal of this article. Now if you insist on inductive reasoning I can offer you no evidence to the contrary, of course. And no, I don't work for a Russian troll agency and am not Russian in any way. I doubt they would bother with ycombinator anyway. In no way is this an attack on you, of course, but I find these kinds of posts severely annoying because of the aforementioned reasons.
Then there's also Coq and such.
Of course, usually the amount of vulnerabilities exponentially correlates to the size of the codebase.
Another surprising revelation was that need-to-know structure isn't necessarily congruent with management structure or chain of command. That is, one can report to someone who isn't authorized to know what one is doing. As I recall, the focus was on financial accountability, duplication of effort, empire building, etc. But there are deeper concerns about accountability.
Then they probably already have their new techniques all ready to go. Maybe even deployed in the field.
>Raiu went on to say the reliance on the highly unusual vulnerability is one of the things underscoring Duqu developers' extraordinary talent and the plentiful number of additional unpatched security bugs with the same unusual capabilities they likely have at their disposal.
>"These guys are so confident to develop their entire platform based on this zero day it means if they get caught and this zero day is patched they probably have another one they can use, which I would say is a pretty scary thought," he said. "Nobody develops an entire malware platform based on just one simple assumption that this zero day will work forever, because eventually it will be discovered and patched. And when it is patched your malware is not going to work anymore. I think that's also very scary and quite impressive."
Still, the attackers' resources are not unlimited - they lost some development time, and maybe some unique opportunities which were possible only with this particular zero-day.
Which is probably already developed, tested, and deployed.
A quick Google search finds lots of confirmation of that.
However the link that I provided to http://en.wikipedia.org/wiki/Iran%E2%80%93Russia_relations says that Iran and the USSR had poor relations (due to the whole atheism thing), but Iran and Russia have had good relations since the USSR fell. Do you have a reference to Iran calling Russia any version of Satan in, say, the last 15 years?
I agree with your overall conclusion that it's possible the attack was carried out by some special agencies, and that it might be reasonable from their standpoint.
But the chain of causality you draw looks to me like an arbitrary fantasy; or, to put it better, only one of many possible explanations. It puts together several unverified assumptions - statements which are not 100% true, but only probable to some degree.
The probability of all that happening together is the product of all the probabilities, and therefore a small number.
There is no evidence that Kaspersky Labs works for Russian intelligence. Yes, there were articles where journalists said "oh, he worked in the KGB, so we can imagine they still cooperate". The fact that we can imagine something doesn't mean it's true. All we can say for sure is that Kaspersky Labs may work for the KGB, or may not (including that they may work for somebody else; why not imagine this).
Does Russia want to support the Iranian nuclear program, up to providing cyber security? IMHO unlikely, but again - maybe yes, maybe no.
Even if Russia decided to support Iran, there is no proof Russia employed Kaspersky and not a proper department of the intelligence service - maybe Kaspersky detected Stuxnet fairly, during their anti-virus research (their primary business; isn't that possible)?
Even that Stuxnet is a US intelligence creation is not a 100% fact; there is strong evidence to support that, but we don't know 100%.
0.1 * 0.2 * 0.4 * 0.9 = 0.0072
Put in your own numbers if you find your assumptions more realistic:
P(Kaspersky Labs works for the KGB) = 0.8
P(Russia wants to provide cyber security for the Iranian nuclear program) = 0.5
P(Kaspersky Labs detected Stuxnet specifically because of an intelligence order, as Russian intelligence has no other cybersecurity departments) = 0.5
P(Stuxnet was developed by US intelligence to attack Iran) = 0.95
Anyway, the combined probability is 0.8 * 0.5 * 0.5 * 0.95 = 0.19
For example, instead of Russia wanting to provide cyber security, Russia saw the opportunity to embarrass the US and score brownie points with Iran.
Instead of Kaspersky detecting it because of an intelligence order, Kaspersky detected it because they happened to be the ones in a position to do so.
And if Russia wanted to provide cyber security for Iran, then the odds are high that Kaspersky would be a component of that. Not because Russia has no other options, but because it is an obvious component that can be made available.
No, you are missing the fact that there are lot of possible explanations outside of the scenario.
Even if the current attack was by US and/or Israeli intelligence, penetrating Kaspersky may be useful for them just as it is, to keep an eye on Kaspersky anti-virus technologies and find a way to avoid them. Without any "revenge" for Iran.
Moreover, I've just checked https://en.wikipedia.org/wiki/Stuxnet#History , Stuxnet wasn't detected by Kaspersky, it was another company. Also, "The reason for the discovery at this time is attributed to the virus accidentally spreading beyond its intended target (the Natanz plant) due to a programming error introduced in an update". So this whole episode doesn't present Kaspersky as an active enemy of US intelligence.
I doubt very very much Russia wants to help Iran to get nuclear weapons - no country will help another country to get nuclear weapons, even if they can win "brownie points".